It seems the locale or timezone I'm using for the date filter is applying an extra hour to the timestamp.
The date filter is applied to the log_timestamp field and results in an extra hour applied:
I've tried both of these date filters but +1 hr always gets added to @timestamp:

date {
  match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss,SSS" ]
  locale => "en"
}

date {
  match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss,SSS ZZ" ]
  locale => "en"
  timezone => "GMT+0"
}
I've also tried to manually set a timezone for the log_timestamp field:

add_field => [ "log_timestamp", "%{year}-%{month}-%{day} %{time},%{ms} +00:00" ]

How should I configure the date filter so that the log_timestamp field and @timestamp match?
What timezone are you in, i.e. what timezone is "July 8th 2015, 14:01:31.013" in? And what's the actual value of the @timestamp field rather than the possibly timezone-adjusted field that Kibana displays? The Kibana interface should allow you to look at the source message. (And why do you have two date filters with different timezone settings?)
And then Kibana will display the timestamp in its own timezone Z rather than the timezone of the original log statement provided by the field passed to the date filter.
The date filter does the right thing. The input timezone is UTC and the date filter always stores UTC in the @timestamp field so no adjustment is necessary. Kibana by default adjusts the UTC time to the local timezone for display purposes.
What about if I am storing logs that were generated in different timezones? I agree all timestamps will be in UTC in my elasticsearch. However kibana will display the data based on my web browser timezone. Imagine now my web browser is in a completely different timezone, every time I see a dashboard I have to think where those logs were generated and make time-maths to catch the real time :(.
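An added example, not from this thread or from Logstash itself, that emulates the two steps the answer above describes: the date filter parses log_timestamp (interpreting a zone-less value in its `timezone` option, UTC by default) and stores UTC in @timestamp, and Kibana then renders that UTC value in the browser's zone. It also covers the follow-up question about logs generated in different timezones by setting the filter's timezone per source. The pattern mapping and the `Europe/London` / `America/New_York` browser and source zones are assumptions chosen for illustration.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Joda patterns used in the thread mapped to strptime equivalents (assumption:
# only these two patterns are emulated; %f accepts the 3-digit ,SSS millis).
PATTERNS = {
    "YYYY-MM-dd HH:mm:ss,SSS": "%Y-%m-%d %H:%M:%S,%f",
    "YYYY-MM-dd HH:mm:ss,SSS ZZ": "%Y-%m-%d %H:%M:%S,%f %z",
}


def date_filter(log_timestamp, pattern, tz="UTC"):
    """Emulate how Logstash's date filter produces @timestamp: parse the
    string, interpret a value without a ZZ offset in `tz` (the filter's
    `timezone` option, UTC when unset), and store the result in UTC."""
    parsed = datetime.strptime(log_timestamp, PATTERNS[pattern])
    if parsed.tzinfo is None:  # pattern carried no ZZ offset
        parsed = parsed.replace(tzinfo=ZoneInfo(tz))
    return parsed.astimezone(timezone.utc)


def kibana_display(at_timestamp, browser_tz):
    """Emulate Kibana's default: render the stored UTC value in the browser's zone."""
    local = at_timestamp.astimezone(ZoneInfo(browser_tz))
    return local.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]  # keep milliseconds only


if __name__ == "__main__":
    # Constructed sample based on the value quoted in the thread; source logged in UTC.
    ts = date_filter("2015-07-08 14:01:31,013", "YYYY-MM-dd HH:mm:ss,SSS")
    print(ts.isoformat())                       # stored: 2015-07-08T14:01:31.013000+00:00
    # A browser in Europe/London (BST in July, UTC+1) shows the "extra hour".
    print(kibana_display(ts, "Europe/London"))  # 2015-07-08 15:01:31.013
    # A log generated in another zone: tell the filter which zone it was written in.
    ts2 = date_filter("2015-07-08 14:01:31,013", "YYYY-MM-dd HH:mm:ss,SSS",
                      tz="America/New_York")
    print(ts2.isoformat())                      # 2015-07-08T18:01:31.013000+00:00
    # With an explicit ZZ offset in the log line, the offset in the string wins.
    ts3 = date_filter("2015-07-08 14:01:31,013 +02:00", "YYYY-MM-dd HH:mm:ss,SSS ZZ")
    print(ts3.isoformat())                      # 2015-07-08T12:01:31.013000+00:00
```

For correlation across sources, the stored UTC value is what to compare; the displayed value only tells you what the browser's zone is.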